PT-2024-8521 · Fortinet · FortiSwitchManager +5
Published 2024-11-12 · Updated 2024-12-12 · CVE-2024-26011
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Fortinet FortiManager versions 6.4.0 through 6.4.14
Fortinet FortiManager versions 7.0.0 through 7.0.11
Fortinet FortiManager versions 7.2.0 through 7.2.4
Fortinet FortiManager versions 7.4.0 through 7.4.2
Fortinet FortiPAM versions 1.0.0 through 1.0.3
Fortinet FortiPAM versions 1.1.0 through 1.1.2
Fortinet FortiPAM version 1.2.0
Fortinet FortiProxy versions 1.0.0 through 1.0.7
Fortinet FortiProxy versions 1.1.0 through 1.1.6
Fortinet FortiProxy versions 1.2.0 through 1.2.13
Fortinet FortiProxy versions 2.0.0 through 2.0.14
Fortinet FortiProxy versions 7.0.0 through 7.0.17
Fortinet FortiProxy versions 7.2.0 through 7.2.9
Fortinet FortiProxy versions 7.4.0 through 7.4.2
Fortinet FortiSwitchManager versions 7.0.0 through 7.0.3
Fortinet FortiSwitchManager versions 7.2.0 through 7.2.3
Fortinet FortiPortal versions 6.0.0 through 6.0.14
Fortinet FortiOS versions 6.0.0 through 6.0.18
Fortinet FortiOS versions 6.2.0 through 6.2.16
Fortinet FortiOS versions 6.4.0 through 6.4.15
Fortinet FortiOS versions 7.0.0 through 7.0.14
Fortinet FortiOS versions 7.2.0 through 7.2.7
Fortinet FortiOS versions 7.4.0 through 7.4.3
Description
Several Fortinet products (FortiManager, FortiPAM, FortiProxy, FortiSwitchManager, FortiPortal and FortiOS) are missing authentication for a critical function. Because the authentication procedure is deficient, a remote, unauthenticated attacker can send specially crafted packets to execute unauthorized code or commands and to reach internal resources. In particular, the improper authentication may allow an unauthenticated attacker to inject packets into tunnels established between a FortiManager and the targeted device.
Recommendations
For Fortinet FortiManager versions 6.4.0 through 6.4.14, update to a version outside of this range.
For Fortinet FortiManager versions 7.0.0 through 7.0.11, update to a version outside of this range.
For Fortinet FortiManager versions 7.2.0 through 7.2.4, update to a version outside of this range.
For Fortinet FortiManager versions 7.4.0 through 7.4.2, update to a version outside of this range.
For Fortinet FortiPAM versions 1.0.0 through 1.0.3, update to a version outside of this range.
For Fortinet FortiPAM versions 1.1.0 through 1.1.2, update to a version outside of this range.
For Fortinet FortiPAM version 1.2.0, update to a version outside of this range.
For Fortinet FortiProxy versions 1.0.0 through 1.0.7, update to a version outside of this range.
For Fortinet FortiProxy versions 1.1.0 through 1.1.6, update to a version outside of this range.
For Fortinet FortiProxy versions 1.2.0 through 1.2.13, update to a version outside of this range.
For Fortinet FortiProxy versions 2.0.0 through 2.0.14, update to a version outside of this range.
For Fortinet FortiProxy versions 7.0.0 through 7.0.17, update to a version outside of this range.
For Fortinet FortiProxy versions 7.2.0 through 7.2.9, update to a version outside of this range.
For Fortinet FortiProxy versions 7.4.0 through 7.4.2, update to a version outside of this range.
For Fortinet FortiSwitchManager versions 7.0.0 through 7.0.3, update to a version outside of this range.
For Fortinet FortiSwitchManager versions 7.2.0 through 7.2.3, update to a version outside of this range.
For Fortinet FortiPortal versions 6.0.0 through 6.0.14, update to a version outside of this range.
For Fortinet FortiOS versions 6.0.0 through 6.0.18, update to a version outside of this range.
For Fortinet FortiOS versions 6.2.0 through 6.2.16, update to a version outside of this range.
For Fortinet FortiOS versions 6.4.0 through 6.4.15, update to a version outside of this range.
For Fortinet FortiOS versions 7.0.0 through 7.0.14, update to a version outside of this range.
For Fortinet FortiOS versions 7.2.0 through 7.2.7, update to a version outside of this range.
For Fortinet FortiOS versions 7.4.0 through 7.4.3, update to a version outside of this range.
As a temporary workaround, consider restricting access to critical functions until a patch is available.
Fix
Missing Authentication
Improper Authentication
Related Identifiers
Affected Products
FortiManager
FortiOS
FortiPAM
FortiPortal
FortiProxy
FortiSwitchManager